Sandworm Team

Sandworm Team is a Russian cyber espionage group that has operated since approximately 2009. The group likely consists of Russian pro-hacktivists. Sandworm Team targets mainly Ukrainian entities associated with energy, industrial control systems, SCADA, government, and media. Sandworm Team has been linked to the Ukrainian energy sector attack in late 2015. [1] [2]

ID: G0034
Associated Groups: Quedagh, VOODOO BEAR
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name: Quedagh
Description: Based on similarities between TTPs, malware, and targeting, Sandworm Team and Quedagh appear to refer to the same group. [1] [3]

Software

ID: S0089
Name: BlackEnergy
References: [1] [3]
Techniques: Bypass User Account Control, Credentials from Web Browsers, Credentials in Files, Data Destruction, Fallback Channels, File and Directory Discovery, File System Permissions Weakness, Indicator Removal on Host, Input Capture, Network Service Scanning, New Service, Peripheral Device Discovery, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Screen Capture, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Windows Admin Shares, Windows Management Instrumentation